CVE-2021-36741: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

CVE-2021-36741 is an improper input validation vulnerability affecting Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1. The vulnerability was discovered and disclosed in July 2021, allowing remote attackers to upload arbitrary files on affected installations. A critical prerequisite for exploitation is that an attacker must first obtain the ability to log on to the product's management console (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability requires low attack complexity and low privileges but can result in high impacts to confidentiality, integrity, and availability of the affected systems (NVD).

If successfully exploited, this vulnerability allows attackers to upload arbitrary files to affected installations, potentially leading to remote code execution. The high CVSS score indicates severe potential impacts on system confidentiality, integrity, and availability (NVD).

Trend Micro has released patches to address this vulnerability. All affected customers are strongly encouraged to update to the latest versions as soon as possible. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on November 3, 2021, with a remediation due date of November 17, 2021 (CISA).